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History of commercial programming 
languages (abridged version) 


FORTRAN С C++ Java 


1970 1980 1990 


я "C" design parameters (circa 1970) 
— scarce resources 
а PDP-11/20: 16 Kbytes of memory 
1 Speed of about 1 MIPS 
1 Cost >$10,000 ($50,000 adjusted for inflation) 
— benign environment 
— knowledgeable and trained users 
— barely any connectivity 
a Software mistakes meant crashed programs, lost data 


The world has changed 


я Design parameters (2006) 
— Ample resources (512 Mbytes vs. 8 Kbytes) 
— Hostile environment 
— Untrained users 
— Everything networked 
я Software mistakes can mean catastrophic damage 
— Loss of control over your computer 
— Loss or theft of your data 
— Loss of privacy 
— Continual (hidden) monitoring of your computer use 
я Example (today) 


— VML Buffer Overrun vulnerability for IE (MS security advisory 
925568) 


— 0-day attack enables complete takeover of user's computer 
— Patches being distributed now 


What language is used for systems 
and application programming? 


C (circa 1970), with many opportunities for 
programmer errors 

я Buffer overruns 

я Manual memory management 

я Memory corruption 

m No type safety guarantees 


C++ (circa 1985), with the same flaws. 


Systems and application programs 


m Systems programs 
— Operating systems, including their components. 
1 Device drivers 
Network stack 
1 Middleware (VMs, runtimes, IIS) 
а File systems 
1 Browsers 
— Databases 
я Applications (end-user oriented) 
— Large complex applications 
1 Example: Office. 


— Complex enough that they are "systems" themselves 
1 With some of the same perf requirements. 


Cost of lack of safety and affected 
products 


з CERT (since June 1, 
— At least 23 buffer overrun, memory corruption problems for current 
patched versions of Microsoft products. 
— Products include Windows XP SP2, Windows Server, Word, Excel, 
Powerpoint, IE 6, Exchange 
= Zero-day exploits circulating 
* Example: VML buffer overrun 
* Visit the wrong Web page or open the wrong document and your computer 
is taken over 
— CERT issues: #416092 #806548 #650769 #377369 #455516 #884252 
#908276 #891204 #6836112 #794580 #394444 #159484 #119180 
#159220 #631516 #189140 4936945 #409316 #802324 #303452 
#190089 #446012 #608020 #390044 #340060 
я Constant patching, updates (plus infrastructure for doing that) 
я Unhappy customers 


Safe languages 


a Safe languages provide strong type safety 
— No buffer overruns, incorrect memory deallocation, memory corruption 
issues. 


— Buffer overruns eliminated using array bounds checking 
* Writing beyond array bounds detected, exception thrown 
* Deniaof-service possible, but not a takeover 
— Memory deallocation issues eliminated using GC 
— Type checking eliminates other sources of memory corruption 
я There are plenty of safe languages around 
- Cf, Java 
— They are successfull 


а May have “unsafe” subset as an escape hatch 
— Example: Cft, Modula-3 


— Safety of rest of code depends on correctness of unsafe code. 
— Limits extent of lack of safety 


Additional benefits of safe languages 


я Eliminates bugs that cause crashes, software failures 
я Provides firm foundation for building future software 
— For program analysis 
я Existing tools make significant compromises to deal with С/С++ 
з Мо guarantees that analysis is actually right 
— For showing correctness of programs 
= For specifying program behavior 
я Example: Singularity project extended C# to provide 
checkable message-passing protocols 
— Declare state machine for protocol 
— Check that code actually implements it 


Software should be written in safe 
languages 

я Current software written almost entirely in 

C/C++ 
— Despite the proven security problems that 
causes 

я Future software should be written in safe 
languages 

э So why can't we start using safe 
languages now?! 


The issue: today’s implementations 
aren't appropriate 


Performance requirements for systems programs include: 
я Fast start-up time 
— Consider OS boot 
я Excellent code speed 
— Used by millions, worth it 
a Low latency 
— For interactive/server apps 
m High throughput 
я Small memory footprint 
Typical implementation of a safe language: 
я General-purpose, rich virtual machine with just-in-time 
compilation 


The question 


я How do you implement safe languages so 
that they can be used for systems 
programming? 

я We are investigating this question using 
Bartok 

э Rest of the talk: 

— Design of Bartok 
— Case studies 
— Demo 


Bartok design 


я MSIL from safe languages as input 
— Eliminate dynamic features not needed for systems 
programming (no JIT, no reflection) 


— Allow unsafe code if necessary. 
m Compile to native code 
— Ahead-of-time highly optimizing compiler 
— No runtime overhead, unlike JIT compiler 
a Use a lightweight runtime system 
— Minimal, support only key features 


— Customizable 
1 Choose GC to match per-app behavior 
1 Choose appropriate libraries to run on top of it 


Compiling safe code to native 
code 


1. Compile to 2. Verify 3. Compile а. Link 
MSIL to native 
code 


Safe/unsafe? Baal Ea 


Safe = type-safe. No buffer overruns 


No memory corruption 


Write as much as possible in safe 
code ... even the runtime 


TRS 

(safe) 

Libraries = pa 
*.МЕТ 


Singularity app, 
kernel, device 


driver, ete. 


Lightweight 


(mostly safe) 


.NET features supported 


Supported Not Supported 

= Core types + object model instructions | | я Dynamic class loading 
tegere fats сіва. managed a Reflection very limited 

m Garbage collection, including finalizers, Е Code access security 

weak references СОМ interop 

* Exception handing Va levels of reflection, 

= Lazy type initialization "СА COM interop support 

a Delegates possible 

я Platform invoke. 

э Unsafe code 

я Data layout attributes 

а Generics (coming soon) 


15 


New features added 


‘Control over class initialization 
— Require a class constructor be run at process start up. 
- Specify initialization order 
— Forbid a class constructor (for sensitive start-up code) 
[NoAlloc] attribute 
= Prohibits allocation in a method and all methods it calls. 
— Enforced by compiler 
[Inline] attribute 
— Force inlining of a function 
Interfaces for assemblies (separate from implementation) 
— Compile against interface, not actual assembly 
— Avoid undectared dependencies, break cycles in compilation 
Overlays for type-safe structural casts of arrays of scalars 


Arithmetic on pointer-sized integers, casts between objects and 
integers (needed for wrting GC) 


Native interop 


я Same support as provided by NET 
— Pinned objects, P/Invoke for DLL loading, 
marshalling 
а Plus 
— Static linking 
— Use same data layout for native, managed 
code (no marshalling cost) 
1Auto-generate C++, asm header files 


— Caveat: if native code retains managed pointer, 
programmer must register it (just like .NET) 


Modular runtime system 


Automatic 
storage Virtual table and 
management object layout 


Threading and 
synchronization || Platform invoke 


Type tests 
Core data 
types: Integers, 
Hadas 
handling arrays, strings 


Interface calls 


Modular runtime system 


m Choose GC, other features to include in a 
specific runtime 

я Allows you to customize the runtime to 
your application. 

я Written entirely in C# 
— See how far we can push safe code 
— GC uses unsafe Cs 


— Research topic: how to prove safety of unsafe 
code 


Libraries 


я Choose the libraries to use with your program 
з It isn't "one size fits all" libraries. 
m Bartok supports 


— NET framework libraries 


1 On an “as-needed” basis, we replaced native methods in 
mscorlib with managed versions. 
a V1.0 and v1.1 support 


— Library for an OS kernel (such as Singularity) 
— Library for Singularity applications. 


Compiler 


Compiler optimizations 


m Key to delivering the performance for systems 

programming 
m Choose a different design point than VMs 

— Ahead-of-time compilation, instead of just-in-time compilation 
я Benefits: 

— More time for compilation 

— Easier to implement than a JIT 

я № trade-off between compile time and program running time 

э Optimizations 

— Includes classic compiler optimizations (about 13) 

— Per-procedure OO/safe language optimizations (about 17) 


= Interprocedural optimizations that are too expensive for just-in- 
time compilation (about 8) 


Classic optimizations 


я Scalar optimizations 

- Copy propagation 

— Constant propagation 
Constant-folding 
= Algebraic simplifications 
Common-subexpression elimination 
Loop-invariant removal 
Dead-code elimination 
Reverse copy propagation of temporaries 
= Strength reduction of induction variables 
a inlining 
m Сопіго!-Пом optimizations: 

— Jump elimination 

= Short-circuiting 

— Loop header cloning 


Object-oriented or managed code 
optimizations 


Also implemented by CLR 
я Inlining fast allocation path 
я Array-bounds check elimination 
m Array store check elimination 
я Null check elimination 
я Type-test and type cast elimination 
э Optimize class initialization 
- Eliminate redundant checks 
— Fast/slow path split 
я Redundant field load/store elimination 
a Inlining fast allocation path 


Additional optimizations 


Bartok adds: 
я Optimized type test implementation 
m Optimize convert operations 
— Widening/narrowing introduced by use of argument stack 


= Break interface calls into separate lookup and call operations [CLR 
does polymorphic inline cache} 


a Passing small structs in registers 

а Compress garbage collection tables 

а Compress exception tables 

а Pre-allocate initialized arrays created in class constructors 
а Make Thread GetCurrentThread an intrinsic 

а Code instead of large tables for internationalization 


Interprocedural optimizations 


m These are optimizations across methods 
— Сап range from a class to a whole program 
— Larger = more compile time, but better code 
— It's a knob that you dial 

W Affects patching/versioning story 
— Perf win ranges from 0-17% 


— May be worth it for some apps and scenarios 
я Examples: kernel 


nterprocedural optimizations 


Tree-shaking 


— Eliminate unreachable or unused classes, 


interfaces, methods, and fields 
Devirtualization of virtual calls 
Eliminate unused formal parameters 


Interprocedural array-bounds check 
elimination 


Interprocedural array store check elimination 
Interprocedural null check elimination 


Interprocedural type-test and type cast 
elimination 


Redundant field load/store elimination 


Compiler and runtime interaction 


Writing runtime in managed code has advantages over 
using C/C++; 

m Dogfooding 
— Forces us to make the compiler better 
— Confront problems of writing systems code ourselves 

m Compiler and runtime system have well-defined 
boundary 


— Compiler reads primitive operations from runtime, inlines them to 
‘expose information 


з Examples: allocation sequence, write barriers, type tests, lock 
operations. 
- Simplifies changing runtime 
з Usually knowledge built into compiler 
Consider supporting 7 GCs that way 
— Few native/managed transitions 


я Compiler can automatically specialize the runtime 


Tools 


я Reuse existing native tools 

— Too costly to build everything on our own. 
я Binary looks like C++ executable 
я Can use: 

— Existing linker 

— Existing Visual Studio C++ debugger 

— Windbg kernel debugger 

— Existing native profilers 


Outline 


m Design 
я Case studies 
= Demo 


Case study: Singularity Research OS 


я Microsoft Research has written an entire 
operating system in (mostly) safe code. 

я Goal: develop techniques for building more 
dependable systems. 

m Key approach: use safe languages at all levels 
— Device drivers 
— OS components 
— Applications 


я See http://singularity for details 


Case study: Singularity Research OS 


я Bartok is the compiler and runtime system 
for Singularity 
я We have a working OS 
— Complete with kernel, device drivers, network 
stack, etc. 
— Boots on real hardware 
— Able to run SpecWeb99 


Singularity OS architecture 


* Closed Kernel 
= 95% written in C 


= 17% of fles contain unsafe С# 
mer ger mr mm а 5% of fles contain 86 asm or C++ 
extension Ñ server | stack f driver — OSsenicesin processes 
— device drivers in processes 
9 kernel closed atboottime 
я Software isolated processes (SIPs) 
== == = = al user code is verified safe 
‘some unsafe code in trusted runtime 


= processes closed at start time 
* Safe and efficient communication 
Via strong interfaces 
= channels between processes 
— channel behavior is specified, checked. 
checked behavior allows us to make — 
7 Sommuncaton elici 
: safety key to verification & 
Wu tection 


Micro Benchmarks 


Atong 3000» Cost (CPU Cycles) 

"P rons | MER [ro 
т kernel 878 437 627 
Es 1920) saoo) буры 
aiam start 1,030,000 719,000. 5,380,000 
"em 


— All processes run in ring 0 
— Static verification replaces hardware protection 
= Optimizing ahead-of-ime compiler (not JIT) 


Memory footprint 


Memory footprint 
“Hello World” process. 
FreeBSD | Linux26.11 | Windows XP. 
53  |(RedHatFC4) | (5Р2) 
C - static lib 232K 664K 
C++ static lib 704K 1216K 
C#- wi GC 


я Cif process w/ GC has similar memory footprint to С++ 
* minimal process (no GC or exceptions) is ~16K 


Macro Benchmark 


я SPECweb99 dynamic and static web content benchmark 
— Singularity implementation uses 6 processes: 
Cassini HTTP Server 
SPECweb content extension 
TCPIIP Stack 
* NIC Driver 
* File System 
* Disk Driver. 


Content Extn 


Throughput 
орвес 


‘Singularity | 247 


Win Server 2003 (IIS) 761 


"Diskbound. Limited by caching algorithms in experimental FS implementation 


Case study: compiling Phoenix 


я Phoenix is Microsoft's new compiler and 
programming tools infrastructure. 

я Designed for building static analysis tools 
and all kinds of compilers (JIT, PreJIT, 
native C++) 


Case study: compiling Phoenix 


я Phoenix is written in C++ 
— Can compile, link and run as 100% native 
1 For example, JIT compiler must be native 
— Or can compile, link and run as 100% managed 


1 Managed configurations support plug-in model for user 
extensions 


я Done with homebrew “Dual Mode" technology 


— Implemented with C++-like Object Definition language 
(PDL) * heavy use of macros 


Compiling Phoenix with Bartok 


я Took Phoenix compiler and tools 
infrastructure 

m Took c2 client (C++ compiler backend) 

я Approximately 1.5 million lines of code 
(including synthesized code) 

я Used Bartok to compile managed c2 
client, Phoenix DLLs to native code 


Results 


m Working c2 compiler 
— Passes 1592 regr tests 
— Compiles "phx-all” benchmark (early version of Phoenix sources 
placed in one file) 


я Performance of Phoenix c2 compiling "phx-all" 


Version Exec time | Mem footprint 
Native C++ 100% 100% 
Bartok 137% 158% 
CLR (JIT) 197% 126% 


“Bartok results can be improved using product quality code generator, 
product quality GC, additional opts 


“CLR results not verified by CLR team 


Safety checks are inexpensive 


Reductions in execution time from disabling 
all safety checks 
я Singularity SpecWeb99 benchmark: ~5% 
я Phoenix c2: ~4% 
m 12 IMPACT programs (translated from 
C++ to C#) 
— Median reduction is ~3% 
— Some are faster than C++ versions 


Outline 


m Design 
я Case studies 
я Demo 


Conclusion and next steps 


@ We've demonstrated viability of using safe languages 
for systems programming 
- Singularity 
- Building a large app 
Ф Will help with security, reliability problems for the 
company and industry. 
@ Next steps: 
- Меге talking to DevDiv Product Units about productization. 
= Their question: are there any customers for this? 


— Would you or your customers want to use a safe language for 
systems or application programming? Let us know. 


History of commercial programming 
languages (abridged version) 


FORTRAN C C++ Java 


1970 1980 1990 


Modular runtime system 


Automatic 
storage Virtual table and 
management object layout 
Threading and 
synchronization Platform invoke 


| etes | tests 
Core data 


types: integers, 
I 
handling arrays, strings 


Modular runtime system 


1. Gen. semispace E 
2. Gen. mark- Automatic 
sweep-compact — — storage Virtual table and 
3. Adaptive version >, management object layout 
of 1+2 d 
4. Mark-sweep FAM 
5. Concurrent Threading and 
mark-sweep synchronization || Platform invoke 
6. Ref counting 
7. Deferred ref — —— 
counting Type tests 
Core data 
types: integers, 
Exception floating point, 
handling arrays, strings 


Interface calls 


Compiler 


Macro Benchmark 


я SPECweb99 dynamic and static web content benchmark 
- Singularity implementation uses 6 processes: 

3 Cassini HTTP Server 
я SPECweb content extension 
a TCP/IP Stack 

NIC Driver 

File System 

3! Disk Driver 


